Security: pin GitHub Actions to SHA hashes#124

Merged
afsmeira merged 1 commit into master from security/pin-actions-to-sha
Apr 17, 2026

Conversation

@jorgebraz
Contributor

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
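As an added illustration of the kind of audit the description refers to (this is not the Codacy script itself, whose source is not on this page), a small Python checker that classifies every `uses:` reference in a workflow as an immutable SHA, a version tag or some other mutable ref, and also flags SHA pins that lack the human-readable `# vX.Y.Z` trailer; the sample workflow is constructed.

```python
import re

# Line-based audit of `uses:` references in a GitHub Actions workflow: a full
# 40-hex commit SHA is immutable; a version tag or branch can be re-pointed.
# `uses: owner/repo[/path]@ref   # optional comment`; local (`./`) and
# `docker://` actions have no commit to pin and are deliberately not matched.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*["']?(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#"']+)["']?"""
    r"""\s*(?:#\s*(?P<comment>\S.*))?\s*$"""
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(?:\.\d+)*$")


def classify_ref(ref):
    """'sha' for a full commit hash, 'tag' for vN[.N.N], 'other' for any mutable ref."""
    if SHA_RE.fullmatch(ref):
        return "sha"
    if VERSION_RE.fullmatch(ref):
        return "tag"
    return "other"


def audit_workflow(text):
    """Return (line_no, action, problem) tuples; an empty list means fully pinned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind = classify_ref(m["ref"])
        if kind != "sha":
            findings.append((line_no, m["action"], f"mutable {kind} reference {m['ref']!r}"))
        elif not m["comment"] or not VERSION_RE.fullmatch(m["comment"].strip()):
            findings.append((line_no, m["action"], "SHA pin without a version trailer comment"))
    return findings


def count_unpinned(text):
    """The 'Actions left as tags' figure: references that are not a full commit SHA."""
    return sum(1 for _, _, problem in audit_workflow(text) if problem.startswith("mutable"))


# Constructed sample, not a workflow file from the repository under review.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
  - uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45
  - uses: some-org/helper@main
  - uses: ./.github/actions/local
"""
```

The trailer check matters because the comment is the only record a maintainer can read without resolving the hash upstream; a pin with no trailer, or a trailer that disagrees with the hash, is what the review comments on this PR are about.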
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues



@codacy-production codacy-production Bot left a comment


Pull Request Overview

While the PR aligns with security best practices by pinning GitHub Actions to SHAs, several critical issues prevent approval. A significant logic error in .github/workflows/comment_issue.yml involves using environment variables in if conditions before they are available, likely leading to workflow failures. Additionally, there is a systemic mismatch where SHAs point to v3.0.0 while comments indicate v2.0.0. This discrepancy violates the acceptance criteria for clear maintenance and risks introducing breaking changes from the actions/github-script upgrade. Finally, several scripts lack safety checks for regex matching, which could lead to runtime TypeErrors.

About this PR

  • Systemic scope issue: Step-level env blocks are not accessible to the if condition of the same step. This pattern is repeated across several steps in comment_issue.yml and will cause them to be skipped.
  • Systemic version mismatch: The SHA 6e5ee1dc... corresponds to v3.0.0, but the code comments across all workflow files label it as v2.0.0. This should be unified to avoid configuration drift.

Test suggestions

  • Verify that the 'Comment issue on Jira' workflow still triggers and successfully executes steps with pinned SHAs.
  • Verify that the 'Create issue on Jira' workflow still triggers and successfully executes steps with pinned SHAs.
  • Verify that the 'Create issue on Jira when labeled' workflow still triggers and successfully executes steps with pinned SHAs.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
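Review bot: nothing in this hunk shows how the pin `90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0` will be kept current once it is merged; a hard pin without a refresh mechanism drifts into an unmaintained release just as surely as a mutable tag drifts into an unreviewed one. Add a Dependabot `github-actions` ecosystem entry (or the Renovate equivalent) to the repository so the hash and its trailing `# v2.0.0` comment are bumped together, and note in the PR description that the `if:` line two lines above is untouched by this change, so the condition problem raised in the review is out of scope here and needs its own follow-up.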

🔴 HIGH RISK

The if condition for this step (and those at lines 68 and 83) will always evaluate to false because env.GITHUB_ISSUE_TYPE and env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL are defined within the env block of the step itself, which is not accessible to the step's own if condition. Use the outputs from the check steps directly.

Try running the following prompt in your coding agent:

Fix the if conditions in .github/workflows/comment_issue.yml by replacing env.GITHUB_ISSUE_TYPE with steps.github_issue_type.outputs.result and env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL with steps.github_issue_has_jira_issue_label.outputs.result in all steps.

- name: Change Title
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
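Review bot: before this merges, resolve `6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45` against the upstream tags (for example `git ls-remote --tags https://github.com/actions/github-script`) and make the `# v2.0.0` trailer state whatever tag it actually resolves to; the automated review above reports that this hash belongs to v3.0.0. A pin whose comment disagrees with its hash is worse than an unpinned tag, because the next maintainer will trust the comment and will not notice a major-version jump in the action's API. The identical line is introduced in three more steps below, so correct all four in one pass rather than per comment.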

🟡 MEDIUM RISK

The pinned SHA points to v3.0.0, while the comment states v2.0.0. If you intended to remain on version 2, update the SHA to match the version in the comment.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@04084803d29a6566d8e874983b63297a77e80f49 # v2.0.0

- name: Update GitHub issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

🟡 MEDIUM RISK

The pinned SHA points to v3.0.0, while the comment states v2.0.0. If you intended to remain on version 2, update the SHA to match the version in the comment.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@04084803d29a6566d8e874983b63297a77e80f49 # v2.0.0

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

🟡 MEDIUM RISK

The pinned SHA for actions/github-script points to v3.0.0, while the comment states v2.0.0. If you intended to remain on version 2, use the correct SHA for v2.0.0 instead.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@04084803d29a6566d8e874983b63297a77e80f49 # v2.0.0

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: extract_jira_number
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

🟡 MEDIUM RISK

If GITHUB_TITLE does not match the jiraTaskRegex, match() will return null, and attempting to access index [1] will throw a TypeError, crashing the workflow step. Add a check to ensure a match was found before accessing its groups.

Try running the following prompt in your coding agent:

In .github/workflows/comment_issue.yml, update the script in the extract_jira_number step to safely handle cases where the title does not contain a Jira issue key in brackets.

Contributor

@afsmeira afsmeira left a comment


I'll bypass the failing checks since they're unrelated to this PR.

@afsmeira afsmeira merged commit 859742d into master Apr 17, 2026
2 of 3 checks passed
@afsmeira afsmeira deleted the security/pin-actions-to-sha branch April 17, 2026 10:59